If your Unix is Solaris, it can use LDAPS for an authentication protocol, allowing you to leverage AD as a single account store. Unfortunately, unless you rewrite the GINA, NT/w2k can't leverage a third party directory service. This would allow not for single sign-on, which implies that you authenticate once for all trusted systems, but for a reduction in redundant account stores. Single sign-on is removing a layer of security as it implies trusts between environments. Reducing the number of account stores saves money, reduces complexity, and makes it easier on the user as they now only have one password to remember, if you require passwords.
Under the model I suggest, passwords become optional, as you can use the win2k CA and Rainbow Tech or other smart cards to provide strong authentication. This smart card can also store the keys for ssh, if you are using ssh to connect to Unix from your win2k systems. Smart card support is in Solaris 9, so I imagine it's out there for other Unixes. Now you don't have passwords and their insecurities to worry about. Smart cards are a managed solution, and not a panacea. If they get lost, the user is locked out until a new card is issued. I've done this in a lab, and we are looking into doing it in our production systems. Kerberos has the problem of MS's implementation being a deviation from the standard.

Walt

> -----Original Message-----
> From: Trevor Cushen [mailto:[EMAIL PROTECTED]
> Sent: Monday, March 10, 2003 12:19 PM
> To: [EMAIL PROTECTED]
> Subject: Single Sign On
>
> Has anyone successfully implemented a single sign on solution in a Unix
> / Windows environment?
>
> If so could you send on product details or a URL to a guide please.
>
> NOT Web based, I know there are a few web based solutions but I need it
> in an enterprise with Windows NT and up, Linux servers and MS-SQL.
> Client has one logon only or single sign on.
>
> I am looking at Kerberos so if I am going down the wrong track please
> let me know.
>
> Many thanks
> Trevor Cushen
>
> ******************************************************************************
>
> This email and any files transmitted with it are confidential and intended
> solely for the use of the individual or entity to whom they are addressed.
>
> If you have received this message in error please notify SYSNET Ltd., at
> telephone no: +353-1-2983000 or [EMAIL PROTECTED]
>
> ******************************************************************************
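The point in the reply above is that the Unix side binds to AD over LDAPS, so the bind credentials never cross the wire in the clear. A check a practitioner would want before relying on that is whether the LDAP client config actually uses LDAPS (or start_tls) and verifies the domain controller's certificate. The script below is an added example, not code from either mail; it assumes the PADL-style ldap.conf format used by pam_ldap/nss_ldap (Solaris's own client is configured with ldapclient(1M) instead, so the same checks would have to be applied to its `authenticationMethod` setting), and the two sample configs, hostnames and /tmp paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original mail. Audits a PADL-style ldap.conf
# (pam_ldap/nss_ldap format; assumed here, Solaris's native client uses
# ldapclient(1M) instead) and fails unless the bind to the AD domain
# controller is protected by LDAPS or start_tls and the server certificate
# is verified.

# Writes two constructed sample configs (invented hosts, not real files).
make_samples() {
    cat > /tmp/ldap_weak.conf <<'EOF'
# simple bind over plaintext LDAP: the proxy password crosses the wire in clear
uri ldap://dc1.example.com
base dc=example,dc=com
ssl no
binddn cn=proxyuser,cn=Users,dc=example,dc=com
bindpw not-really-secret
EOF
    cat > /tmp/ldap_strong.conf <<'EOF'
uri ldaps://dc1.example.com ldaps://dc2.example.com
base dc=example,dc=com
ssl on
tls_cacertfile /etc/openldap/cacerts/ad-root.pem
tls_checkpeer yes
binddn cn=proxyuser,cn=Users,dc=example,dc=com
bindpw not-really-secret
EOF
}

# audit_ldap_conf FILE: returns 0 if every server is reached over TLS and
# the peer certificate is checked, 1 otherwise (findings printed to stdout).
audit_ldap_conf() {
    conf="$1"
    rc=0
    plain_uris=""
    start_tls=no
    checkpeer=no
    while read -r key val; do
        case "$key" in
            ''|'#'*) continue ;;              # blank line or comment
            uri|URI)
                for u in $val; do            # several URIs may share one line
                    case "$u" in
                        ldaps://*) ;;
                        *) plain_uris="$plain_uris $u" ;;
                    esac
                done ;;
            ssl|SSL)
                [ "$val" = "start_tls" ] && start_tls=yes ;;
            tls_checkpeer|TLS_CHECKPEER)
                [ "$val" = "yes" ] && checkpeer=yes ;;
        esac
    done < "$conf"

    # ldap:// without start_tls means the simple bind password is sent in clear
    if [ -n "$plain_uris" ] && [ "$start_tls" = no ]; then
        echo "$conf: simple bind in the clear to:$plain_uris"
        rc=1
    fi
    # TLS without peer verification lets a spoofed DC harvest the bind
    if [ "$checkpeer" != yes ]; then
        echo "$conf: tls_checkpeer is not 'yes'; server certificate is not verified"
        rc=1
    fi
    return $rc
}

make_samples
for f in /tmp/ldap_strong.conf /tmp/ldap_weak.conf; do
    if audit_ldap_conf "$f"; then echo "$f: ok"; else echo "$f: FAIL"; fi
done
```

Run it as-is to see the strong config pass and the weak one fail; point `audit_ldap_conf` at a real ldap.conf to check a host. The two findings it reports are the ones that undo the benefit the reply describes: a plaintext simple bind, and a TLS session whose peer is never checked.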